Technical Note: Overview of the CRASS Server


Introduction


This technical note describes the following aspects of the CRASS
(Combined Registration and Authentication Script Server) subsystem:


• Introduction
• Design
• Event Flows
    - Registering AIM Accounts
    - Registering Community Groups
    - Registering OOBE Accounts with crass_billing
• Rate Limiting
• Variables and Return Codes





There are two sets of repositories for accounts—the Master File for AOL 
accounts and MORF (Master OSCAR Registration Facility) for AIM
accounts—and two sets of servers that manage the repositories. The two 
different repositories must coordinate so that newly created accounts have a 
unique screenname. 


AIM screennames are used in many products, for example, Netscape’s
Netcenter, MyNews AOL web membership, Digital Cities, and through
many partners’ web pages.


The CRASS server registers AIM, AOL web, OOBE, and community
groups in a common namespace.


CRASS facilitates the creation of a new mailbox in three ways:


• During registration
• Through a request from another SAPI server
• Through the EWOKS gateway


CRASS provides the following specific services:


Table 1: CRASS Services

Service Name        Description

crass_create        Registers an AIM screen name and password using
                    the DES data encryption standard for a new user of a
                    product who is not an America Online user.

crass_create_rsa    Registers an AIM screen name and password using
                    the RSA data encryption standard for a new user of a
                    product who is not an America Online user.

crass_mbox_create   Creates a mailbox for an existing AIM account. It
                    requires screen_name as input. CRASS looks up the
                    screen name in MORF (Master OSCAR Registration
                    Facility) to get the promo code. Then CRASS sends
                    this information to a mail_admin server to attempt to
                    create a mailbox for that AIM account.

crass_reuse         Registers a screen name and password using the
                    DES data encryption standard for a new user of a
                    product who has an America Online screenname.

crass_reuse_rsa     Registers a screen name and password using the
                    RSA data encryption standard for a new user of a
                    product who has an America Online screenname.


Audience


Use of this technical note is limited to internal America Online employees.
The pages of this technical note are confidential material. Please remember
that only those who have read and agreed to the terms and conditions of the
America Online confidentiality agreement, or those who have applicable
nondisclosure agreements, may see this technical note.


Providing Feedback


If you have comments, corrections, or questions related to this technical 
note, please send e-mail to screen name TDocHIp. Please include the name 
of this technical note when providing your feedback. 


Additional Resources 


For more information on EWOKS, see the Using the EWOKS Web
Gateway Server technical note at http://dev.office.aol.com/SDTechDocs/
behind the AOL firewall.


Design


Figure 1 shows an overview of the CRASS server in relation to the various
processes it connects to:


Figure 1: CRASS Design


The CRASS processes and components are described as follows:


asasn (AOL Suggest A Screen Name)
    A server that suggests alternate screen names to members during
    registration and then varies the screen name through a sequence of
    word transforms after it receives a number of words in the requests
    used to derive screen names.


Authorizer
    A server that validates the credit card of a potential new AOL account
    by processing an authorization for a credit card transaction.


BERP server
    A UNIX-based back-end routing processor (BERP) server that is part of
    the comm subsystem. A BERP contains berp processes that route the
    client messages to the appropriate host process. BERP is the heart of
    the distributed network, interfacing the FEPs on the Ethernet to the
    FDDI ring where various servers are connected.


BOSS (Basic OSCAR Server)
    A server that implements the basic OSCAR services, for example,
    login/logoff, locate, Instant Message, Buddy List and third-party
    referral services; during registration CRASS asks BOSS if the screen
    name the person is trying to register matches that of someone signed
    onto AIM; if it does, then registration is refused.


DRUL (Distributed Replicated User List) / drul_ipt
    A UNIX-based application that maintains the list of members currently
    logged on to AOL. drul_ipt looks up the IP address to make sure that
    the account does not have parental controls.


FEP server
    A UNIX-based front-end processor (FEP) server that is part of the comm
    subsystem and is the host interface to the public data networks. A FEP
    contains multiple terminal handler (tih) processes that serve each of
    the client computer-networked online connections.


EWOKS
    External Web Oscar Knowledge Server web gateway that accesses services
    on the AOL host complex from the web. The EWOKS web gateway server is
    a web server that accepts web-based requests for services residing on
    the AOL host, making the services available from the Internet.


group_names
    A server used so that community groups can share the same namespace as
    AOL and AIM; group_names checks to make sure that the group name is
    unique, creates it in MORF, and sets a flag that it is a group.


Internet
    A wide area network connecting many networks in industry, education,
    government, and research.


ip_tunnel
    A process that acts as a network gateway for internet protocol packets
    sent between the Internet and America Online clients.


mail_admin_sw
    A process that CRASS uses to get the mail_admin server to set up
    mailboxes for new accounts.


Master File
    A database that stores member account information, for example,
    screen names, passwords, billing cycle, and server bits.


MORF (Master Registration OSCAR Facility) / MORF DB
    A master database for all OSCAR accounts in the OSCAR domain.


Namer
    A server that checks each possible screen name it is passed to see if
    it is available in the AOL master file. Namer also checks the
    potential screen name for vulgarity.


namergate
    A gateway between regadm and namer, SORE, mail_admin_sw, group_names,
    and authorizer.


Newman
    A server that validates e-mail addresses of new users.


OOBE (Out of Box Experience)
    A feature of Microsoft Windows 98 that lets users select their
    Internet provider when they first fire up the operating system; AOL
    created a special series of web-based registration screens to handle
    OOBE registrations and then route them into EWOKS and CRASS.


OSCAR (Open System for Communication Access in Realtime)
    OSCAR is an implementation of bucky technology that supports AOL
    Instant Messenger, Buddy Lists, and Locate. OSCAR server processes are
    called bucky balls, because they were represented by round shapes in
    early design diagrams.


Promo
    Promotional code assigned by America Online to track registrations.


Public Data Network/modem
    A network that includes phone lines, point of presence (POP) modems,
    and packet switching networks using a transmission control protocol
    (TCP).


regadm
    A CIBS server that searches the MORF database. Regadm sends a message
    to regmail when a new account is created. This message will cause
    regmail to send a welcome email to the new user.


router (WWW and internal)
    An electronic device that examines each packet of data it receives and
    then sends it onward toward its destination. WWW routers distribute
    packets on the Internet; internal routers distribute packets inside
    the AOL host system.


SORE (Simple OSCAR Registration Entity)
    A server used in crass_billing for new OOBE accounts to validate the
    name, address, and credit card information. SORE is also used to
    create masterfile records for CRASS in the OOBE process.


SNAC
    The basic communication unit that is exchanged by OSCAR PC clients and
    servers.


TurboWeb
    The web subsystem that contains the servers, processes, web cache,
    switches, routers, and other network equipment to support the high
    volume of web access requests from America Online client computers.
    For more information, see the Overview of the TurboWeb Subsystem
    technical note.


America Online Confidential


Technical Note: Overview of the CRASS Server May 2000


Event Flows 


The CRASS subsystem supports the following events according to the
design depicted in Figure 1, CRASS Design:


• Registering AIM accounts
• Registering AOL accounts from the web
• Registering community groups
• Registering OOBE accounts with crass_create and crass_billing


Registering AIM Accounts 


crass_create and crass_reuse are the two transactions used in a new AIM 
registration. 


crass_create 


When a crass_create transaction comes in, the process flow is as follows: 


1. Check with BOSS to make sure the name does not match that of 
someone signed on to AIM. 


2. Check with Namer to make sure the name is not reserved, vulgar,
blocked, or in the Master File.


3. Check with Newman to verify the e-mail address exists. 


4. Check with DRUL to make sure the user's IP address does not match 
that of a parentally controlled screenname that is signed on to AOL. 


NOTE: Steps 1-4 above happen simultaneously.


5. Create the account in MORF.


6. CRASS notifies asasn of successful registrations.


7. If the promo code is a free mail promo code, CRASS initiates mailbox
creation through mail_admin.


crass_reuse


When a crass_reuse transaction comes in, the process flow is as follows: 


1. Check with BOSS to make sure the name does not match that of 
someone signed on to AIM. 


2. Check with Namer to make sure the name exists on AOL, that the zip
code supplied by the user matches that of the AOL account, and that the
AOL screenname is not parentally controlled.


3. Check with DRUL to make sure the user's IP address does not match 
that of a parentally controlled screenname that is signed on to AOL. 


NOTE: There is a subtle distinction between steps 2 and 3. In step 2 
CRASS checks the master file information to see if the screenname is 
parentally controlled. In step 3 CRASS checks the DRUL IP address 
information to see if the IP address does not match that of a parentally 
controlled screenname. CRASS does IP address lookups through 
DRUL IPT to find out if the screen name on that IP is parentally 
controlled since every person that signs onto AOL gets an IP address at 
sign-on. Steps 1-3 above happen simultaneously. 


4. Create the account in MORF with the same password as that of the 
AOL screenname (CRASS gets the password from Namer in step 2 
above.) 


Registering Community Groups 


Groups are maintained in a group database. CRASS ensures that whatever
name is chosen for a group is unique in AOL namespace; in other words,
that a group name doesn’t coincide with an individual screenname, as
follows:


1. CRASS checks MORF and Namer to make sure it is not a duplicate of
an already existing account.


2. If it is not a duplicate, CRASS creates the account in MORF and sets a
flag that it is a group.


Registering OOBE Accounts with crass_billing


OOBE registrations use two different transactions—crass_create as 
described in Registering AIM Accounts and then crass_billing.
In the billing transaction, the additional CRASS functions occur as follows:


1. CRASS receives a registration request and sends the information to
SORE.


2. The name, address, and credit card information come into SORE for
validation. The results of every part of the validation are sent back to
CRASS.


3. Authorizer runs through a credit card authorization to validate the card.


4. If the credit card is valid, CRASS sends a message back to SORE to
create the account.


crass_billing Transaction Information 


Table 2 shows the crass_billing required variables:


Table 2: Required Variables

Variable        Description

screen_name     Screen name created through crass_create
first_name      First name
last_name       Last name
street1         Address line 1
street2         Address line 2 (optional)
street3         Address line 3 (optional)
city            City
state           State (2 character state code)
country         Country (2 character country code)
Zip_code        Zip code
day_phone       Daytime phone number (optional)
eve_phone       Evening phone number
card_type       Credit card type (visa, mc, amex, discover)
card_number     Credit card number
expire_mm       Expiration month (2 digits)
expire_yy       Expiration year (2 digits)
is_debit_card   Is this a debit card? (0=no, 1=yes)
promo           Promo code (this is the one OOBE passes in on the URL)



Table 3 shows the crass_billing return codes:


Table 3: Return Codes

Code    Description

01      Service unavailable
02      Already billed
03      Invalid screen name
05      Invalid promo
06      Too long First Name
07      Too short First Name
08      Invalid First Name
09      Too long Last Name
10      Too short Last Name
11      Invalid Last Name
12      Too long Address Line 1
13      Too short Address Line 1
14      Invalid Address Line 1
15      Too long Address Line 2
16      Too short Address Line 2
17      Invalid Address Line 2
18      Too long Apt/Suite#
19      Too short Apt/Suite#
20      Invalid Apt/Suite#
21      Too long City
22      Too short City
23      Invalid City
24      Invalid State
25      Zip Too long
26      Zip Too short
27      Zip Code Invalid
28      Invalid Country
29      Day phone Too long
30      Day phone Too short
31      Day Phone Invalid
32      Evening phone Too long
33      Evening phone Too short
34      Evening Phone Invalid
35      Card type was not amex, mc, visa, discover
36      Card number was longer than 16 characters
37      Card number was less than 12 characters
38      Card number was not all digits
39      First digit of card number doesn't match card type
40      Authorizer rejected the card
41      Invalid Expiration Month
42      Invalid Expiration Year
43      Credit Card already on file
44      Debit card selection is not valid
45      No direct debit sibling



Rate Limiting 


Rate limiting is a way to prevent hackers and malicious users from eating 
up the namespace with bogus registrations. Many different AOL servers 
provide rate limiting. In the case of CRASS, rate-limiting simply prevents 
a user from registering too many screen names or groups within a certain 
time frame. CRASS uses rate-limiting for AIM registration and for group
creations.


Rate limits work on the basis of an average of successful registrations
during a given time period. The average is determined by a simple
mathematical equation in which a number, N, is loosely defined as the
number of events to average over. If a large N is chosen, then any particular
event affects the average less, and vice versa.


© America Online, Inc. 2000


As an individual makes more and more attempts to register within a given 
timeframe, the average falls over time through the following four different 
threshold levels in succession: 


• Clear
• Warn
• Block
• Severe


When the user crosses below the Warn threshold, the CRASS server places 
the user in a warning state. While CRASS chooses to take no action against 
a user in the Warn state, other servers that are rate limited often choose to 
do so (for example, issue a warning popup or e-mail). 


When the user crosses the Block threshold, the user is considered rate 
limited. CRASS blocks the user from making any new registrations until 
the user’s average creeps all the way up above the clear level. 


Some other servers that use rate limiting take further actions against a user 
(for example, logging them off) when they cross the Severe threshold, but 
in the case of CRASS this level is not used because blocking any new 
registration attempts on the previous level is sufficient from the standpoint 
of CRASS’s functionality. 


CRASS has commands to create a rate limit list in the configuration file. In 
the list CRASS adds three different types of limits: 


• e-mail (averaged at two registrations per day)
• IP address (averaged at 10 registrations per day)
• Proxy IP address (averaged at a variable number depending on the
proxy involved and the expected traffic on that proxy; proxy rate limits
are always looser than the normal IP address rate limit.)


All e-mails and IP addresses can be specified through a catchall wildcard. 
In the case of proxy IP addresses, however, each specific known proxy 
must be designated in the configuration file. Sometimes users who register 
from proxies that are not in the CRASS configuration file are rate-limited 
on the first attempt because the 10 per day limit has been reached by 
multiple users registering from that proxy. 
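

The averaging, the Block-until-Clear behaviour and the unlisted-proxy effect described in this section, as an added example that is not part of the original technical note and is not CRASS code. The note gives neither the equation nor the threshold values, so the running average of the gap between successful registrations, N = 5, the threshold placement, the 500 per day proxy limit and the sample addresses are all assumptions.

```python
DAY = 86400.0

class Limit:
    """Thresholds are average seconds between successful registrations."""
    def __init__(self, per_day, n=5):
        self.n = n                       # N: number of events to average over
        self.block = DAY / per_day       # assumed: spacing at the allowed rate
        self.warn = 1.5 * self.block     # assumed placement of Warn
        self.clear = 2.0 * self.block    # assumed placement of Clear
        self.start = 2.0 * self.clear    # assumed average for an unseen key

# Constructed configuration: catchall wildcards plus one known proxy.
LIMITS = {
    "email:*": Limit(per_day=2),
    "ip:*": Limit(per_day=10),
    "ip:198.51.100.7": Limit(per_day=500),   # known proxy, looser limit
}

class RateLimiter:
    def __init__(self, limits):
        self.limits = limits
        self.state = {}                  # key -> [average, last_success, blocked]

    def attempt(self, kind, value, now):
        """Return 'clear', 'warn' or 'block' for one registration attempt."""
        key = f"{kind}:{value}"
        lim = self.limits.get(key) or self.limits[f"{kind}:*"]
        avg, last, blocked = self.state.get(key, [lim.start, None, False])
        # Running average of the gap between events, weighted over N events.
        level = avg if last is None else ((lim.n - 1) * avg + (now - last)) / lim.n
        if blocked and level <= lim.clear:
            return "block"               # stays blocked until above Clear
        if level < lim.block:
            self.state[key] = [avg, last, True]
            return "block"               # refused attempts do not move the average
        self.state[key] = [level, now, False]
        return "warn" if level < lim.warn else "clear"

def simulate(ip, count, spacing, limiter=None):
    """Different users registering through one source IP every `spacing` seconds."""
    limiter = limiter or RateLimiter(LIMITS)
    return [limiter.attempt("ip", ip, i * spacing) for i in range(count)]

if __name__ == "__main__":
    print(simulate("203.0.113.9", 10, 600))    # proxy missing from the config
    print(simulate("198.51.100.7", 10, 600))   # proxy listed in the config
```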
Variables and Return Codes


The input variables and return codes for crass_create and crass_reuse are
specified in the Using the EWOKS Web Gateway Server technical note at
http://dev.office.aol.com/SDTechDocs/ behind the AOL firewall.